#CryptoLocker ransomware is terrorizing home and business users - TopicsExpress

#CryptoLocker ransomware is terrorizing home and business users alike. CryptoLocker is Windows-based ransomware that encrypts files on local drives and network shares, and then demands payment to unlock them. Funds are requested via untraceable payment methods like Bitcoin and MoneyPak. CryptoLocker uses asymmetric encryption, with the private key held by the author or distributor of the malware. Unfortunately, it uses a strong algorithm that makes it practically impossible to decrypt the data without knowing the key.

What CryptoLocker does

When the malware runs, it proceeds as follows:

1. CryptoLocker installs itself into your Documents and Settings folder, using a randomly-generated name, and adds itself to the list of programs in your registry that Windows loads automatically every time you log on.

2. It produces a lengthy list of random-looking server names in the domains .biz, .co.uk, .info, .net, .org and .ru.

3. It tries to make a web connection to each of these server names in turn, trying one each second until it finds one that responds.

4. Once it has found a server that it can reach, it uploads a small file that you can think of as your “CryptoLocker ID.”

5. The server then generates a public-private key pair unique to your ID, and sends the public key part back to your computer.

→ Remember that public-key cryptography uses two different keys: a public key that locks files, and a private key that unlocks them. You can share your public key widely so that anyone can encrypt files for you, but only you (or someone to whom you have given a copy of your private key) can decrypt them.

6. The malware on your computer uses this public key to encrypt all the files it can find that match a largish list of extensions, covering file types such as images, documents and spreadsheets.

→ Note that the malware searches for files to encrypt on all drives and in all folders it can access from your computer, including workgroup files shared by your colleagues, resources on your company servers, and possibly more. The more privileged your account, the worse the overall damage will be.

7. The malware then pops up a “pay page,” giving you a limited time, typically 72 hours, to buy back the private key for your data, typically for $300. (The price point is surprisingly similar to what it was back in 1989.)

→ With the private key, you can recover your files. Allegedly. We haven’t tried buying anything back, not least because we know we’d be trading with crooks.
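Steps 1 to 3 above describe two behaviours a defender can look for: a randomly named executable dropped under the user profile and registered to run at logon, and then a burst of connections to random-looking server names in the listed domains at about one per second. The script below is an added example, not code from the original post or from Sophos. It scores names for randomness with a character-entropy heuristic and applies that to a constructed autorun listing and a constructed lookup log. The log line format, the profile-path pattern, the length and entropy thresholds and the ten-lookups-per-minute window are all assumptions chosen for the example.

```python
import math
import re
from collections import defaultdict
from datetime import datetime

# TLDs the post says the malware draws its server names from
WATCHED_TLDS = (".biz", ".co.uk", ".info", ".net", ".org", ".ru")
WINDOW_SECONDS = 60          # assumed detection window
MIN_LOOKUPS_IN_WINDOW = 10   # assumed threshold (post: one try per second)

# Assumed pattern for "lives under a user profile" (XP-era and later layouts)
PROFILE_PATH = re.compile(r"^[a-z]:\\(documents and settings|users)\\[^\\]+\\", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character; 13 distinct characters give log2(13), about 3.70."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_random(label: str, min_len: int = 10, min_entropy: float = 3.2) -> bool:
    """Heuristic for a 'random-looking' name: long, with few repeated letters.
    Thresholds are assumptions tuned on the constructed samples below."""
    label = label.lower()
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def registrable_label(hostname: str):
    """Return the label just before a watched TLD, or None for any other TLD."""
    hostname = hostname.lower().rstrip(".")
    for tld in WATCHED_TLDS:
        if hostname.endswith(tld):
            rest = hostname[: -len(tld)]
            return rest.rsplit(".", 1)[-1] if rest else None
    return None


def flag_autorun_entries(entries):
    """entries: (value_name, image_path) pairs from a Run-key listing.
    Flags executables under a user profile whose file name looks random
    (step 1 of the post). Returns the flagged value names."""
    flagged = []
    for name, path in entries:
        if not PROFILE_PATH.match(path):
            continue
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            flagged.append(name)
    return flagged


def flag_lookup_bursts(lines):
    """lines: '<iso-timestamp> <client-ip> <hostname>' (assumed format).
    Returns {client: n} for clients that looked up at least
    MIN_LOOKUPS_IN_WINDOW random-looking names in watched TLDs within any
    WINDOW_SECONDS span (steps 2 and 3 of the post)."""
    per_client = defaultdict(list)
    for line in lines:
        ts, client, host = line.split()
        label = registrable_label(host)
        if label and looks_random(label):
            per_client[client].append(datetime.fromisoformat(ts))
    hits = {}
    for client, times in per_client.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            best = max(best, end - start + 1)
        if best >= MIN_LOOKUPS_IN_WINDOW:
            hits[client] = best
    return hits


# Constructed samples: no real hosts, users or file names.
SAMPLE_AUTORUNS = [
    ("GoogleUpdate", r"C:\Documents and Settings\alice\Local Settings\Application Data\Google\Update\GoogleUpdate.exe"),
    ("Dropbox", r"C:\Documents and Settings\alice\Application Data\Dropbox\bin\Dropbox.exe"),
    ("Reader_sl", r"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"),
    ("Qhxvbnmkwerty", r"C:\Documents and Settings\alice\Qhxvbnmkwerty.exe"),
]

SAMPLE_LOG = [
    "2013-11-23T11:20:00 10.0.0.23 hwqzkpmvbxtry.biz",
    "2013-11-23T11:20:01 10.0.0.23 ljgfdsapoiuyt.co.uk",
    "2013-11-23T11:20:01 10.0.0.42 www.sophos.com",
    "2013-11-23T11:20:02 10.0.0.23 mnbvcxzlkjhgf.info",
    "2013-11-23T11:20:03 10.0.0.23 qazwsxedcrfvt.net",
    "2013-11-23T11:20:04 10.0.0.23 plmoknijbuhvy.org",
    "2013-11-23T11:20:05 10.0.0.23 tgbyhnujmikol.ru",
    "2013-11-23T11:20:05 10.0.0.42 mail.example.org",
    "2013-11-23T11:20:06 10.0.0.23 rfvtgbyhnujmk.biz",
    "2013-11-23T11:20:07 10.0.0.23 edcrfvtgbyhnu.co.uk",
    "2013-11-23T11:20:08 10.0.0.23 wsxedcrfvtgby.info",
    "2013-11-23T11:20:09 10.0.0.23 xswqazcderfvb.net",
    "2013-11-23T11:20:10 10.0.0.23 vfrcdexswzaqb.org",
    "2013-11-23T11:20:11 10.0.0.23 bgtvfrcdexswz.ru",
    "2013-11-23T11:20:12 10.0.0.23 update.microsoft.com",
]

if __name__ == "__main__":
    print("suspicious autorun entries:", flag_autorun_entries(SAMPLE_AUTORUNS))
    print("clients with lookup bursts:", flag_lookup_bursts(SAMPLE_LOG))
```

Both checks are triage hints rather than verdicts: some legitimate updaters use hash-like file names, and a busy host can touch many domains in a minute. A hit on either is a reason to look at the autorun entry and the file it points to, and to check the network shares that account can reach, since the post notes the encryption reaches everything the account can write to.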
Posted on: Sat, 23 Nov 2013 11:20:54 +0000